The Snuffleupagus project is developing a PHP module for blocking vulnerabilities

The snuffleupagus project is developing a module that plugs into the PHP 7 interpreter and is designed to harden the runtime environment and block common mistakes that lead to vulnerabilities in PHP applications. The module also lets you create virtual patches that fix specific problems without touching the source code of the vulnerable application, which is convenient on mass hosting platforms where it is not possible to keep every customer's applications up to date. The module is written in C, is loaded as a shared library ("extension=snuffleupagus.so" in php.ini) and is distributed under the LGPL 3.0 license.

Snuffleupagus provides a rule system that lets you apply ready-made templates to improve security, or write your own rules that control input data and function parameters. For example, the rule "sp.disable_function.function("system").param("command").value_r("[$|;&`\\n]").drop();" lets you forbid special characters in the argument of the system() function without modifying the application. In the same way, virtual patches can be written to block known vulnerabilities.

Judging by the tests carried out by the developers, Snuffleupagus barely reduces performance. To ensure the module's own safety (a vulnerability in the protective layer could itself serve as an additional attack vector), the project thoroughly tests every commit on several distributions, uses static analysis tools, and keeps the code formatted and documented to simplify auditing.

Built-in methods are provided for blocking classes of vulnerabilities such as problems related to data serialization, unsafe use of the PHP mail() function, leakage of cookie contents during XSS attacks, problems caused by loading files that contain executable code (for example, in .phar format), weak random number generation and improper substitution of XML constructs.

The following modes are supported for improving PHP security:

  • Automatic setting of the "secure" and "samesite" (CSRF protection) flags on cookies, and cookie encryption;
  • A built-in set of rules for detecting traces of attacks and application compromise;
  • Forced global activation of "strict" mode (for example, blocking attempts to pass a string where an integer argument is expected) and protection against type manipulation;
  • Blocking of protocol wrappers by default (for example, forbidding "phar://") with an explicit whitelist;
  • Forbidding execution of writable files;
  • Black and white lists for eval;
  • Mandatory TLS certificate verification when using curl;
  • Adding an HMAC to serialized objects so that deserialization only accepts data stored by the original application;
  • A request logging mode;
  • Blocking the loading of external files in libxml through references in XML documents;
  • The ability to attach external handlers (upload_validation) to check and analyze uploaded files;

The project was developed and is used to protect customers in the infrastructure of one of the large French hosting operators. It is noted that simply enabling Snuffleupagus would have protected against many of the dangerous vulnerabilities identified this year in Drupal, WordPress and phpBB. Vulnerabilities in Magento and Horde could be blocked by enabling the "sp.readonly_exec.enable()" mode.
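As an added illustration (not taken from the article or from the project's own files), the following rules file combines the two rules quoted above with the hardening modes the list describes, using the directive names as documented by the project. The secret key, cookie name and validator script path are placeholders to be replaced with your own values.

```conf
# Added example: a snuffleupagus.rules file, not from the article or the project.
# Placeholders: the secret key, the cookie name and the upload validator path.

# Must come first: cookie encryption and serialization HMAC derive from it.
sp.global.secret_key("REPLACE_WITH_A_LONG_RANDOM_SECRET");

# The rule quoted in the article: drop any system() call whose "command"
# argument contains shell metacharacters. Swapping .drop() for .simulation()
# only logs the match, which is useful for validating a rule before enforcing it.
sp.disable_function.function("system").param("command").value_r("[$|;&`\\n]").drop();

# The mode the article says would have blocked the Magento and Horde issues:
# refuse to execute PHP files that are writable by the web server user.
sp.readonly_exec.enable();

# Cookie hardening: secure flag everywhere, samesite and encryption for the session cookie.
sp.auto_cookie_secure.enable();
sp.cookie.name("PHPSESSID").samesite("lax");
sp.cookie.name("PHPSESSID").encrypt();

# Only the listed stream wrappers are allowed; phar:// is deliberately absent.
sp.wrappers_whitelist.list("file,php,http,https");

# Serialized data carries an HMAC, so unserialize() rejects anything this
# application did not produce itself.
sp.unserialize_hmac.enable();

# Disable external entity loading in libxml (blocks XXE via XML references).
sp.disable_xxe.enable();

# Strong random number generation and strict_types for every script.
sp.harden_random.enable();
sp.global_strict.enable();

# External validator run on every uploaded file (placeholder path).
sp.upload_validation.script("/usr/local/bin/check_upload.sh").enable();
```

Point the extension at this file with sp.configuration_file in php.ini and review the PHP error log after deploying, since every dropped call is logged there.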

Source: opennet.ru
